Dan C. Marinescu Cloud Computing: Theory and Practice.

Chapter 9
• Contents
 Security in an interconnected world, cloud security risks.
 Attacks in a cloud environment, top threats.
 Security, a major concern for cloud users.
 Privacy.
 Trust.
 Operating systems security.
 Virtual machine security.
 Security of virtualization.
 Security risks posed by shared images.
 Security risks posed by a management OS.
• Computer security in the new millennium
 Malware can travel easily across national borders, infect
systems worldwide, and transfer from one system to another in
today's networked environment.
As society grows more and more dependent on the information
infrastructure, the security of computing and communication
networks becomes even more important. Vulnerabilities in
computer security can be used to target even a country's
essential infrastructure.
 Recently, the term cyberwarfare has entered the dictionary
meaning “actions by a nation-state to penetrate another nation's
computers or networks for the purposes of causing damage or
disrupt
• Cloud security
 A computer cloud is a target-rich environment for malicious individuals
and criminal organizations.
 Major concern for existing users and for potential new users of cloud computing services.
Outsourcing computing to a cloud generates new security and privacy concerns.
 Standards, regulations, and laws governing the activities of organizations supporting cloud
computing have yet to be adopted. Many issues related to privacy, security, and trust in cloud
computing are far from being settled.
 There is the need for international regulations adopted by the countries where data centers of
cloud computing providers are located.
 Service Level Agreements (SLAs) do not provide adequate legal protection for cloud computer
users, often left to deal with events beyond their control.
• Cloud security risks
 Traditional threats  impact amplified due to the vast amount of cloud
resources and the large user population that can be affected. The fuzzy
bounds of responsibility between the providers of cloud services and
users and the difficulties to accurately identify the cause.
 New threats  cloud servers host multiple VMs; multiple applications
may run under each VM. Multi-tenancy and VMM vulnerabilities open
new attack channels for malicious users. Identifying the path followed
by an attacker more difficult in a cloud environment.
 Authentication and authorization  the procedures in place for one
individual does not extend to an enterprise.
 Third-party control (external organization or service provider) generates a spectrum of
concerns caused by the lack of transparency and limited user control.
• In other words, Users do not have direct visibility into how the cloud provider manages their data,
applications, or infrastructure. This lack of insight can lead to concerns about how securely their data is
handled, where it is stored, or how it is processed
 Availability of cloud services  system failures, power outages, and
other catastrophic events could shutdown services for extended periods of time
• Attacks in a cloud computing environment
 Three actors involved; six types of attacks possible.
 The user can be attacked by:
 Service 
• SSL certificate spoofing: An attacker creates a spoof SSL certificate that mimics a real one that a
cloud provider uses. Users may be tricked into accepting a fake certificate when they connect to
the cloud serviattacks on browser cachesce, thinking they are safely connected to the authentic
service.
• attacks on browser caches: Attackers exploit vulnerabilities in the user's browser cache, where data
from previous browsing sessions is stored temporarily. This can include sensitive information like
authentication tokens, session cookies, or cached web pages from the cloud service.
• phishing attacks: Attackers send deceptive messages (emails, texts, etc.) pretending to be from a
trusted cloud service provider. These messages often contain links to fake websites that look
identical to the legitimate cloud service login page.
 The cloud infrastructure  attacks that either originates at the cloud or spoofs to originate from the cloud
infrastructure

 The cloud infrastructure can be attacked by:

 A user  targets the cloud control system.where the attacker aims to exploit
vulnerabilities or misconfigurations in these critical components.

 A service  requesting an excessive amount of resources and

causing the exhaustion of the resources
• The service can be attacked by:
 A user the common types of attacks
• buffer overflow: happens when the cloud services or applications running
on the cloud have poorly managed memory buffers, attackers can
exploit these weaknesses by sending data that exceeds the
allocated buffer size. this could lead to arbitrary code execution,
where the attacker gains control of the cloud service or application.
• SQL injection: Database-interacting web applications are frequently hosted via
cloud services. It is possible for an attacker to put malicious SQL code into a
query if these programs fail to properly validate or filter user input.
• privilege escalation:describes the method by which a hacker obtains elevated
access to resources that are normally reserved for authorized users. The
effects are dangerous since an intruder may be able to take confidential
information, alter resources, or interfere with services.
 The cloud infrastructure  the most serious line of attack. Limiting
access to resources, privilege-related attacks, data distortion, injecting
additional operations(e.g. Adding a malicious service module to a SaaS or
PaaS system, or an infected VM to an IaaS system, and diverting user
traffic to it.).
• Top threats to cloud computing
 Identified by a 2010 Cloud Security Alliance (CSA) report:
 The abusive use of the cloud - the ability to conduct nefarious
activities from the cloud.
 APIs that are not fully secure - APIs and user interfaces are
the fundamental elements of cloud system connections with
clients
• API (Application programming interface)set of rules,
protocols, and tools that allows different software applications
to communicate and interact with each other. APIs define the
methods and data formats that applications can use to
request and exchange information
• securing APIs from corruption or human mistakes is
necessary to cloud security.

• Allowing access via encrypted keys, which are required to

authenticate API users and prevent unintentional and
Top threats to cloud computing-Continued
 Malicious insiders - cloud service providers do not disclose their hiring standards and
policies, so this can be a serious threat.
 Shared technology: In a shared multi-tenant cloud system, an attacker may exploit a
vulnerability or improperly configured or poorly isolated cloud service component to
compromise cloud data security and result in a data breach. To protect against shared
technology vulnerabilities, best practices for client implementation and data management
should be used.
 Account hijacking: a kind of cyberattack in which someone else uses methods
like phishing and fraud to enter a user's internet account without that user's
permission
 Data loss or leakage - if only one copy of the data is stored on the cloud, then sensitive
data is permanently lost when cloud data replication fails followed by a storage media
failure.
 Note: Cloud providers often replicate data across multiple data centers to ensure redundancy and reduce the risk of data
loss.

 Unknown risk profile :

• An unknown risk profile in cloud computing refers to the situation where the risks
associated with using cloud services are not fully understood or are underestimated. This
can happen due to: Lack of Knowledge, Rapid Technological Changes,
Underestimating Threats
• Top threats to cloud computing-Continued

 Data breaches (‫ )خرق البيانات‬: occurs when an unauthorized third party

maliciously gains access to data at rest in a cloud infrastructure or data in transit for
compromising its integrity. The attractive targets are the cloud data and file servers that
hold massive volume of data.
 Data locality: Cloud service consumers are not aware of where their data is stored due to
virtualization. However, legal implications of using, sharing and storing of data exist and vary from
one country to another based on relevant laws and policies regarding intellectual property

•
• Auditability of cloud activities
 The lack of transparency makes auditability a very difficult proposition for cloud computing.
 Auditing guidelines elaborated by the National Institute of Standards (NIST) such as the Federal
Information Processing Standard (FIPS) and the Federal Information Security Management Act
(FISMA) are mandatory for US Government agencies
 Cloud CIA security model
• Due to the multi-tenancy structure of the cloud computing
system, cloud data is highly vulnerable to a number of
security threats.
• However, the level of vulnerability of the cloud resources
depends on the cloud delivery model(IAAS,SAAS,PAAS) used
by a cloud service consumer.
• The major challenges of cloud resources are confidentiality,
integrity and availability (CIA)
 Data confidentiality
• Data confidentiality in cloud computing refers to the protection of
data from unauthorized access or disclosure while it is stored,
processed, or transmitted in the cloud.
• Data privacy is a simplified version of data confidentiality.
• Data privacy is the guarantee that an individual's personal
information will never be shared with third parties.
• However, since sharing is illegal, maintaining privacy is far simpler
than maintaining confidentiality.
• Data security in public clouds is the exclusive responsibility of the
cloud service provider. Resource management, task scheduling, and
virtualization are used to enforce data confidentiality.
• On the other hand, with cross-VM sidechannel attacks, attackers can
obtain complete access to the host and retrieve data from a target
virtual machine on the same system.
• Note:
• cross-VM side-channel attack
• One kind of security vulnerability in virtualized systems
• in which a malicious virtual machine (VM) uses shared hardware resources to
get private data from other VMs co-located on the same physical host.
• By taking advantage of the common infrastructure of cloud settings and the
basic features of virtualization, these attacks are able to break the separation
between virtual machines and obtain unauthorised data.
 CASE STUDY EXAMPLE

• A company called Innovartus

discovered that users accessing
their User Registration Portal over
public Wi-Fi or unsecured LANs
were transmitting personal profile
details in plaintext, making the
data vulnerable to interception.
To address this security risk,
Innovartus quickly implemented
encryption on its Web portal by
switching to HTTPS, ensuring that
all data transmitted between
users and the portal is securely
encrypted and protected from
unauthorized access.

Note: these examples are from the book:Cloud Computing Concepts, Technology & Architecture
Data integrity
• The process of making sure that cloud customers' data is
protected from unauthorised modification—that is, that
the data hasn't been altered in any way by outside parties
.
• The cloud service provider must make sure that access
restrictions to data in transit or storage are enforced
against third parties in order to guarantee data integrity.
 CASE STUDY EXAMPLE

• ATN is migrating some applications

that handle highly sensitive corporate
data to its PaaS platform, hosted in
the cloud to allow trusted partners to
access and use the data for critical
calculations and assessments. To
protect the integrity of this data and
prevent unauthorized tampering, ATN
decides to implement a hashing
mechanism.
• Cloud resource administrators work
with the cloud provider to integrate a
digest-generating process for each
application version deployed in the
cloud. The hash values are securely
logged in an on-premise database,
and the process is regularly repeated
and analyzed to detect any
unauthorized actions or alterations to
 Digital Signature
• Data integrity and authenticity can be ensured by the digital signature process. Prior to
transmission, every message is given a digital signature, which becomes invalid in the
event that any illegal changes are made to the message afterward. Proof of the
message's authenticity that was created by its legitimate sender is provided by a
digital signature.
 CASE STUDY
EXAMPLE
• DTGOV, expanding its services to
public-sector clients, needed to
revise its cloud policies to protect
sensitive government data. To
enhance security, DTGOV
implemented digital signatures in
its Web-based management
environment. This ensures that all
actions are authenticated and
traceable, reducing the risk of
unauthorized access and
preventing tampering, thereby
safeguarding the integrity of critical
operations like server provisioning,
SLA tracking, and billing
Data availability
• This feature means that real data owners—cloud service
customers, in this case—can easily access their data
and that no threatening party has been able to deny
them access .
• It might also be a reference to the uptime and
continuous operation of a virtual machine or cloud data
server.
• The primary danger to data availability, however, is a
denial-of-service (DoS) assault.
Cloud-Based Security Groups

• Cloud-Based Security Groups are logical groupings within a cloud environment

that define security rules for controlling the flow of traffic to and from the
resources within those groups. These groups help in segmenting networks into
smaller, isolated sections, allowing administrators to apply specific security
policies to each segment.

• different virtual servers or resources are assigned to various security groups.

Each security group has rules that govern communication between the groups,
thereby creating isolated environments with tailored security measures. This
approach minimizes the risk of unauthorized access and enhances overall
security by enforcing boundaries around resources in a cloud environment.
• Data protection in cloud environments is enhanced through resource
segmentation, which involves creating separate physical and virtual IT
environments for different users and groups. This process allows organizations
to partition their networks according to specific security needs, such as having
separate networks with and without firewalls based on user access
requirements.
Cloud computing security architecture
• The most important and basic factor that determines
the degree of security that would be present throughout
the cloud computing is the security architecture.
• Although there isn't yet a widely recognised formal
standard for cloud security architecture, a reliable cloud
security architecture needs to be created to provide the
best possible protection for the cloud ecosystem and its
related capabilities in an effective way.
• Figure 6.1 shows a basic cloud security architecture.
The user, the service provider, the virtual machine, and
the datacenter comprise this layered architecture:
 1. user layer
• The user layer consists of several components, including programming, cloud
applications, tools, and environments.
• Cloud applications, also known as Software as a Service (SaaS) applications, are
software applications that are hosted and operated in the cloud, allowing users to
access them over the internet.

• Examples of such cloud applications include OneDrive, Microsoft Teams,

ZOOM,DropBox,Gmail and so on.
• However, common security implementations at the user layer include, but are not
limited to,
Browser Security, Authentication and Security-as-a-Service
service-oriented security
• Security-as-a-service is a service-oriented security mechanism
for protecting the user layer of the cloud computing ecosystem

• It consists of two main methods.

• In the first method, security-as-a-service can be requested or
provided as needed by the customer, the supplier, and reputable
information security suppliers.
• The second method , security is provided as a cloud service by
the cloud service provider in conjunction with information
security companies like the antimalware vendors delivering SaaS
to filter email messages.
• Example: mail antivirus
Browser security
• Cloud users can access their subscribed services from anywhere at any time using a basic web
browser.
• Many policies have been proposed to secure browsers; the two most popular ones are
• the Legacy Same Origin Policy (SOP) The Same-Origin Policy (SOP) is a fundamental security
concept in web browsers that prevents scripts from one origin (e.g., domain, protocol, or port) from
accessing resources from a different origin

• The SOP is a web browser security mechanism that aims to prevent websites from
attacking each other. It restricts cross-origin interactions in the following ways:
• Scripts: Scripts loaded from one origin cannot access the DOM (Document Object
Model) of documents from a different origin.
• Cookies: Cookies set by scripts from one origin are not accessible to scripts from a
different origin.

• TLS(Transport Layer Security) provides web apps with the ability to authenticate the server's
domain name and protect data while it's being transported.
Authentication
• Because cloud data is widely accessible via the internet, the primary function
of an access control mechanism in the cloud ecosystem is user authentication.
• In hosted and virtual services, authentication is the most commonly targeted
attack centre point
• Numerous mitigation techniques for authentication attacks have been
developed
• An example of the authentication standard adopted in the cloud is the Trusted
Platform Module (TPM).
• TPM is commonly available and a more reliable authentication scheme than the
password login verification check.
• A TPM, or a trusted platform module, is a physical or embedded security
technology (microcontroller) that resides on a computer's motherboard or in
its processor. TPMs use cryptography to help securely store essential and
critical information on PCs to enable platform authentication.
• It uses an IF-MAP (Interface for Metadata Access Points) standard to exchange
information about user identities, access policies, and device statuses
between cloud-based authentication services and network devices.
2. service provider layer
• the important components of this layer include resource
provisioning, SLA Monitor, Scheduler & Dispatcher,
Metering, Load Balancer, Accounting, Policy Management
and Advance Resource Reservation Monitor.
• Security concerns in the service provider layer include Data
transmission, Privacy, People and Identity, Infrastructure
management, Audit and Compliance, Cloud integrity and
Biding Issues.
Identity and access management
• Identity and access management (IAM) involves the Authentication, Authorization and
Auditing (AAA) of users accessing cloud services.

• IAM mechanisms are made up of four primary parts:

1.Centralized Identity Management: Cloud service
providers offer centralized identity management systems that
allow administrators to create, manage, and control user
accounts, groups, and roles. These systems enable
administrators to define access policies, assign permissions,
and manage user identities across the cloud environment.
2.Authentication : Username and password combinations remain the most
common forms of user authentication credentials managed by the IAM system, which also
can support digital signatures, digital certificates, biometric hardware (fingerprint readers),
specialized software (such as voice analysis programs), and locking user accounts to
registered IP or MAC addresses.
3. Role-Based Access Control (RBAC): RBAC is a key component of IAM in
cloud environments. Cloud service providers enable administrators to define
roles with specific permissions and assign these roles to users or groups.
RBAC simplifies access management by granting permissions based on users'
roles within the organization, minimizing the risk of unauthorized access.

4. Fine-Grained Access Control: In addition to RBAC, cloud service

providers support fine-grained access control mechanisms that allow
administrators to specify granular permissions for individual resources or
actions. This ensures that users and entities have access only to the
resources they need to perform their tasks, enhancing security and
minimizing the risk of data breaches.

5. Identity Federation: Cloud service providers offer identity federation

capabilities that allow organizations to integrate their existing identity
management systems with cloud-based services. This enables seamless and
secure authentication and access control across on-premises and cloud
environments, without the need for separate credentials
Single Sign-On (SSO)
• Propagating the authentication and authorization information for a cloud
service consumer across multiple cloud services can be a challenge, especially
if numerous cloud services or cloud-based IT resources need to be invoked as
part of the same overall runtime activity.

• Single Sign-On (SSO) is an authentication mechanism that

allows users to access multiple applications or services with a
single set of login credentials. Instead of requiring users to log
in separately to each application or service, SSO enables them
to authenticate once and gain access to all authorized
resources without needing to re-enter their credentials.
•
• how Single Sign-On works:
1. A cloud service consumer provides the security broker (Identity Provider) with login credentials (1).
2. The security broker responds with an authentication token (message with small lock symbol) upon successful
authentication, which contains cloud service consumer identity information (2) that is used to automatically
authenticate the cloud service consumer acoss Cloud Services A, B, and C (3).
- The credentials received by the security broker are propagated to ready-made environments across two
different clouds.
- the security broker acts as an intermediary or federation service that facilitates Single Sign-On (SSO) across
multiple cloud environments.
- The security broker is responsible for selecting the appropriate security procedure with which to contact
each cloud.
Privacy
• One of the biggest problems with cloud computing is privacy.
Many nations have strict limits on the use, management,
storage, and access to personal data, and these regulations
differ depending on the location of the data.
• In order to protect the organization's data privacy, a cloud
service provider must strictly adhere to service level
agreements. Failure to do so could have fatal effects, as well
as unnecessarily high management costs. To address
identity management, data protection, secure operations,
privacy, and other security and legal-related concerns, an
efficient assessment plan must be developed.
Cloud Integrity and Binding Issues
• Coordinating and managing instances of virtual machines (IaaS) or explicit
service execution modules (PaaS) is an essential requirement in the cloud
computing ecosystem. In case of a user request, the cloud system is in
charge of identifying a freely accessible instance of the desired service's
implementation type and sending the user the address of the new instance
so they can use it. A common attack is called a "cloud malware injection
attack,"

• A cloud malware injection attack, also known as a cloud-based code

injection attack, is a type of cyberattack where malicious code is injected
into a cloud-based application or service to compromise its integrity,
availability, or security. This type of attack exploits vulnerabilities in the
cloud environment to inject and execute malicious code, allowing
attackers to gain unauthorized access, steal data, or disrupt services.
Flooding attacks

• Through the use of virtual machines, a cloud computing

environment offers dynamic hardware requirements adaption
based on the real workload. Nonetheless, the DoS is a frequent
security threat to the hardware resources' accessibility and
availability.
• A denial-of-service (DoS) attack happens when a host gets
flooded with a large volume of requests from several machines in
an attempt to stop it from answering legitimate requests quickly.
The server's hardware resources are totally consumed during a
flooding attack, making the hardware system incapable of
carrying out any planned functions. This may result in the cloud
computing environment's resources or services not being
available.
Accounting and accountability
• Accounting and accountability is a significant cost-effective motivator to
adopt cloud services.
• customers are charged based on the actual usage of cloud services
• Cloud service providers often operate under a shared responsibility
model, where they are responsible for the security and availability of the
underlying cloud infrastructure, while customers are responsible for
securing their applications, data, and access credentials. In the case of a
DDoS attack, it is typically the responsibility of the cloud provider to
mitigate the attack and ensure the availability of their services.
• Cloud (SLAs) define the level of service, uptime guarantees, and
compensation mechanisms in case of service disruptions. If a DDoS
attack leads to a violation of the SLA, the customer may be eligible for
compensation or service credits, rather than being billed for the
additional workload caused by the attack.
3. virtual machine layer
• It is composed of several instances of virtual machines, operating systems and
monitoring applications.
• Virtual machine layer security considerations include cloud legal and regulatory issues,
VM Escape, VM Sprawl, Infrastructure, Identity and Access management as
well as separation between customers and others.
 VM Sprawl
• VM Sprawl is the uncontrolled growth of virtual machines within an environment.
Virtualization technologies have made it easy to create and deploy VMs. That; why
sometimes organizations end up with a large number of VMs that are
underutilized, not properly managed, or even forgotten.
• VM sprawl challenges:
• Resource Waste. Unused VMs consume resources like storage, memory, and
CPU cycles that could be used elsewhere.
• Increased costs. The more VMs there are, the higher the costs. These include
licensing fees for software and potential hardware expansion needs.
• Management overhead. A high number of VMs requires more oversight.
• Security risks. Forgotten VMs probably won’t receive necessary security
updates, which makes them potential vulnerabilities in the network.
• Backup and recovery issues. VM sprawl can lead to challenges in data
protection strategies — it’s difficult to back up and recover information from
unmanaged virtual machines.
• Causes of VM Sprawl:
• Ease of VM creation: With virtualization, creating a new VM is often just a
matter of a few clicks.
• Lack of VM lifecycle management: VMs continue to exist long after their
useful life has ended.
• No clear ownership: If it’s unclear who is responsible for a VM, it continues to
exist without oversight.
Virtual machine escape
• VM escape is a security situation which occurs when a
total system failure is experienced due to improperly
configured virtual machines.
• VM escape refers to a security vulnerability that allows
an attacker to break out of a virtual machine and gain
unauthorized access to the underlying hypervisor
or host system. In other words, it enables an attacker
to bypass the isolation and protection mechanisms
provided by the virtualization layer.
• Rogue Hypervisors : A rogue hypervisor refers to a malicious
or unauthorized hypervisor that is installed and running on physical
hardware without the knowledge or consent of the legitimate
administrators.

• Increased Denial of Service Risk: The threat of DoS attacks is no different

in virtualized systems as
being experienced in physical systems. The denial of service risks continues to grow
tremendously in virtualized systems, the host or an external service because virtual
machines share the host's
resources such as disk, processor, memory, I/O devices, and so on.
VM security recommendations (best practices security
techniques)
• Securing the host operating system (OS) in a cloud
environment is crucial for maintaining the overall
security of the cloud infrastructure and protecting the
data and applications hosted on it.
Some practices for securing the host OS in a cloud environment
• Regular Patching and Updates: Keep the host OS up-to-date with security
patches and updates provided by the OS vendor. This helps address known
vulnerabilities and protects against potential exploits.
• Strong Authentication and Access Control: Implement strong
authentication mechanisms such as SSH(Secure Shell) keys or multi-factor
authentication (MFA) for accessing the host OS. Use role-based access control
(RBAC) to limit access to authorized users and enforce the principle of least
privilege.
• Using Encrypted Communications to provide secure communications via
cryptography techniques like Secure Shell (SSH), Transport Layer
Security (TLS), Secure HTTP (HTTPS) and encrypted Virtual Private
Networks (VPNs)
• Firewall Configuration: Configure firewalls on the host OS to restrict
incoming and outgoing network traffic based on predefined rules. Use firewall
rules to block unnecessary ports and protocols and allow only essential
communication.
• Implementing File Integrity Checks by using a verification process of
the files for accurate consistency retention.
• Securing VM Remote Access by managing remote access to VM
Separation between users
• It's important to keep users of a cloud provider apart to
prevent unintentional or intentional access to private data.
• Strong virtual network separation methods, virtual machine
integrity checks, and hardware-based hypervisor verification
are all requirements for the cloud service provider.
• Virtual machine (VM) integrity checks refer to the process of verifying
the integrity and security of virtual machines within a virtualized
environment to checks that VMs have not been attacked. Techniques
used may be using hashing, Continuous Monitoring, Hypervisor-
Based Integrity Monitoring,..
• Strong virtual network separation methods in virtualized cloud
environments are crucial for ensuring the security and isolation of
network traffic between different virtual machines (VMs) and tenant
environments. methods used to achieve it are
• Virtual LANs (VLANs)
• Virtual Private Cloud (VPC): In cloud environments like Amazon Web
Services (AWS) and Google Cloud Platform (GCP), a VPC enables users to
create isolated virtual networks within the cloud infrastructure. VPCs allow
users to define their own IP address ranges, subnets, route tables, and
network access control policies, providing strong network separation between
different tenant environments.
• Software-Defined Networking (SDN): which is a networking architecture
approach. It enables the control and management of the network using
software applications. Through Software Defined Network (SDN) networking
behavior of the entire network and its devices are programmed in a centrally
controlled manner through software applications using open APIs.
• Network Function Virtualization (NFV): NFV allows network functions
such as firewalls, load balancers, and intrusion detection systems to be
implemented as virtualized network services running on top of commodity
hardware or cloud infrastructure.
Cloud legal issues
• A cloud provider must be aware of strong policies that
address regulatory and legal issues and each cloud
consumer is expected to consider issues like legal
discovery and compliance, data retention and
destruction, data security and export, and auditing
when preparing a service level agreement with a cloud
service provider
4. data center layer
• is the infrastructure layer which is composed of the
servers, storage, memory, the CPU and other cloud
service resources, typically denoting an
Infrastructure-as-a-Service (IaaS) layer.
• However, key security concerns in this layer are
physical security, Secure data storage, and
Security: Network and Server.
Secure data- storage
• Maintaining the confidentiality, integrity, and availability of
sensitive data kept in cloud environments depends on cloud
storage security. Some practices used to achieve this is:
• Data Encryption: Encrypting data at rest and in transit for protecting
sensitive information from unauthorized access. Utilize strong encryption
algorithms such as AES to encrypt data before storing it in the cloud.
• Key Management: Implement robust key management practices to
securely generate, store, and manage encryption keys used to encrypt
and decrypt data.
• Data Classification and Segmentation: Sort data according to its
significance and sensitivity, then use data segmentation techniques to
separate sensitive from less important information. Keep extremely
sensitive data in separate storage containers with extra security
measures and monitoring.